Award-winning news, views, and insight from the ESET security community

McAfee FP news misused for more SEO poisoning

We're now seeing a fiercely concentrated Blackhat SEO campaigns exploiting the McAfee False Positive (FP) problem. Juraj Malcho, our Head of Lab in Bratislava, reports that in a Google search like the one I've screendumped above, he got three malicious hits in the top ten (the same ones captured here: of course, the malicious domain

We're now seeing a fiercely concentrated Blackhat SEO campaigns exploiting the McAfee False Positive (FP) problem. Juraj Malcho, our Head of Lab in Bratislava, reports that in a Google search like the one I've screendumped above, he got three malicious hits in the top ten (the same ones captured here: of course, the malicious domain

Juraj Malcho, our Head of Lab in Bratislava, reports that in a Google search like the one I've screendumped above, he got three malicious hits in the top ten (the same ones captured here: of course, the malicious domain names have been whited out) and 11 in the top 20. Subsequent searches using different search strings are finding even more hits, so right now, Google is well and truly poisoned.

Characteristically, hits at the moment come up with the titles "Mcafee Dat 5958" or "Mcafee 5958", but this has changed since earlier on, and will no doubt change again.

The malicious URLs seem to take the form

[domain name]/[random 5 letter string].php?on=mcafee%20dat%205958

or

[domain name]/[random 5 letter string].php?on=mcafee%205958

Of course, this is likely to change too. They redirect to a site which tries to download fake AV detected as one of the following:

Win32/Adware.VirusAlarmPro

a variant of Win32/Kryptik.DWC trojan

Win32/TrojanDownloader.FakeAlert.ALW trojan

Thanks to Juraj and to Cristian Borghello for their continuing research and information.